Ramnit Changes Shape with Widespread Black Botnet

silversurfer (thread author)
Aug 17, 2014
A massive proxy botnet is just the tip of the iceberg, a warning sign of a bigger operation in the works by the Ramnit operators.

The recently uncovered “Black” botnet campaign using the Ramnit malware racked up 100,000 infections in the two months through July, but the offensive could just be a precursor to a much larger attack coming down the pike, according to researchers, thanks to a second-stage malware called Ngioweb.

Check Point Research said that the actors behind the Black botnet are mainly working on creating a network of malicious proxy servers: infected machines that together operate as a highly centralized botnet, “though its architecture implies division into independent botnets.”

In the Black operation, Ramnit malware, which is likely being distributed via spam campaigns, according to Check Point, is merely a first-stage malware. Ramnit has extensive information exfiltration capabilities stemming from its heritage as a banking trojan; but it also backdoors infected machines. In this case, it sets up a path for a malware called Ngioweb, marking a new chapter for the venerable old code, first seen in 2010.

“Ngioweb represents a multifunctional proxy server which uses its own binary protocol with two layers of encryption,” Check Point researchers explained in an analysis of the campaign posted on Sunday. “The proxy malware supports back-connect mode, relay mode, IPv4, IPv6 protocols, TCP and UDP transports, with first samples seen in the second half of 2017.”